OFFICE OF THE INSPECTOR GENERAL
U.S. NUCLEAR REGULATORY COMMISSION

Office of the Inspector General
System Evaluation of Listed Systems That Process Safeguards and/or Classified Information

OIG-05-A-14     August 4, 2005

EVALUATION REPORT

All publicly available OIG reports (including this report) are accessible through NRC's Web site at:
http:/www.nrc.gov/reading-rm/doc-collections/insp-gen/


August 4, 2005

MEMORANDUM TO:  Luis A. Reyes
                Executive Director for Operations

FROM:           Stephen D. Dingbaum /RA/
                Assistant Inspector General for Audits

SUBJECT:        SYSTEM EVALUATION OF LISTED SYSTEMS THAT PROCESS SAFEGUARDS AND/OR CLASSIFIED INFORMATION (OIG-05-A-14)

Attached please find the Office of the Inspector General's report, System Evaluation of Listed Systems That Process Safeguards and/or Classified Information. Richard S. Carson Associates, Inc. conducted this evaluation on our behalf and determined that:

   • The inventory of listed systems is inaccurate and information is inconsistent.
   • Some listed systems lack required security plans.
   • Some security controls are not implemented as required.

The weaknesses identified are not significant deficiencies or reportable conditions. During an exit conference on July 15, 2005, NRC officials provided comments concerning the draft audit report and opted not to submit formal written comments to this report.

If you have any questions or wish to discuss this report, please call me at 415-5915 or Beth Serepca at 415-5911.

Attachment: As stated


Distribution

John T. Larkins, Executive Director, Advisory Committee on Reactor Safeguards/Advisory Committee on Nuclear Waste
G. Paul Bollwerk, III, Chief Administrative Judge, Atomic Safety and Licensing Board Panel
Karen D. Cyr, General Counsel
John F. Cordes, Jr., Director, Office of Commission Appellate Adjudication
Jesse L. Funches, Chief Financial Officer
Janice Dunn Lee, Director, Office of International Programs
William N. Outlaw, Director of Communications
William N. Outlaw, Acting Director, Office of Congressional Affairs
Eliot B. Brenner, Director, Office of Public Affairs
Annette Vietti-Cook, Secretary of the Commission
William F. Kane, Deputy Executive Director for Reactor and Preparedness Programs, OEDO
Martin J. Virgilio, Deputy Executive Director for Materials, Research, State and Compliance Programs, OEDO
Jacqueline E. Silber, Deputy Executive Director for Information Services and Administration, and Chief Information Officer, OEDO
William M. Dean, Assistant for Operations, OEDO
Timothy F. Hagan, Director, Office of Administration
Michael R. Johnson, Director, Office of Enforcement
Edward T. Baker, Director, Office of Information Services
James F. McDermott, Acting Director, Office of Human Resources
Corenthis B. Kelley, Director, Office of Small Business and Civil Rights
Jack R. Strosnider, Director, Office of Nuclear Material Safety and Safeguards
James E. Dyer, Director, Office of Nuclear Reactor Regulation
Carl J. Paperiello, Director, Office of Nuclear Regulatory Research
Paul H. Lohaus, Director, Office of State and Tribal Programs
Roy P. Zimmerman, Director, Office of Nuclear Security and Incident Response
Samuel J. Collins, Regional Administrator, Region I
William D. Travers, Regional Administrator, Region II
James L. Caldwell, Regional Administrator, Region III
Bruce S. Mallett, Regional Administrator, Region IV


Office of the Inspector General
System Evaluation of Listed Systems That Process Safeguards and/or Classified Information

Contract Number: GS-00F-0001N
Delivery Order Number: DR-36-03-346

July 29, 2005

The views, opinions, and findings contained in this report are those of the authors and should not be construed as an official Nuclear Regulatory Commission position, policy, or decision, unless so designated by other official documentation.


EXECUTIVE SUMMARY

BACKGROUND

On December 17, 2002, the President signed the E-Government Act of 2002, which included the Federal Information Security Management Act (FISMA) of 2002. FISMA outlines the information security management requirements for agencies, which include (1) an independent evaluation of an agency's information security program and practices and (2) an evaluation of the effectiveness of information security control techniques. FISMA also requires an assessment of compliance with requirements and related information security policies, procedures, standards, and guidelines.

As part of the FY 2005 FISMA independent evaluation of the Nuclear Regulatory Commission's (NRC) information technology security program, Richard S. Carson Associates, Inc. (Carson Associates), reviewed security controls for listed systems that process safeguards[1] and/or classified[2] information.

Listed systems represent one of four[3] categories used by NRC to group the agency's systems on its master inventory of systems. A listed system is a computerized information system or application that (1) processes sensitive information requiring additional security protections and (2) may be important to an NRC office's or region's operations, but which is not a major application when viewed from an agency perspective. Most of the systems in this category process safeguards and/or classified information. Many of the listed systems processing safeguards and/or classified information are either standalone personal computers (PCs) or laptops. None of these systems are connected to the NRC local area network when processing safeguards and/or classified information.[4]

   [1] Safeguards information is sensitive unclassified information that specifically identifies the (1) detailed security measures of a licensee or an applicant for the physical protection of special nuclear material or (2) security measures for the physical protection and location of certain plant equipment vital to the safety of production or utilization facilities. Protection of this information is required pursuant to Section 147 of the Atomic Energy Act of 1954, as amended.
   [2] Classified information is information (such as a document or correspondence) that is designated National Security Information, Restricted Data, or Formerly Restricted Data.
   [3] The other three categories are major application, general support system, and other.
   [4] Systems used to process safeguards and/or classified information may be connected to the NRC local area network, but only if the removable hard drive containing the safeguards and/or classified data is removed from the PC/laptop and replaced with a separate hard drive used for unclassified processing.

PURPOSE

The system evaluation objective was to test the effectiveness of NRC security policies, procedures, practices, and controls for listed systems processing safeguards and/or classified information.

RESULTS IN BRIEF

Carson Associates reviewed the security policies, procedures, practices, and controls for listed systems processing safeguards and/or classified information and found that:

   • The inventory of listed systems is inaccurate and information is inconsistent.
   • Some listed systems lack required security plans.
   • Some security controls are not implemented as required.

Inventory of Listed Systems Is Inaccurate and Information Is Inconsistent

NRC Management Directive (MD) 12.5, NRC Automated Information Security Program, assigns the NRC Chief Information Officer responsibility for developing and maintaining a master inventory of all agency systems, including listed systems. This inventory is maintained by the Office of Information Services (OIS). Regional administrators, office directors, and system sponsors/owners are responsible for ensuring that information systems sponsored by their offices are included in the agency's master inventory of all agency systems. They are required to work with the agency to update and revalidate the master inventory of systems on an annual basis.

Despite this requirement, the master inventory of listed systems is not accurate, and information for listed systems that are composed of multiple components is not consistently reported. The agency lacks procedures for maintaining and updating the inventory of listed systems.

Some Listed Systems Lack Required Security Plans

MD 12.5 requires all listed systems to have an up-to-date, approved security plan before the system is put into operation. Office directors, regional administrators, and system sponsors/owners are responsible for developing the security plans. The Chief Information Officer is responsible for reviewing and approving the security plans. However, some listed systems lack required security plans because the agency has not implemented procedures to ensure that all listed systems have approved, up-to-date security plans prior to a system becoming operational. Also, there are no procedures for ensuring that system owners/sponsors respond to agency requests for security plan updates in a timely manner.

Some Security Controls Are Not Implemented As Required

MD 12.5 describes the security controls required for all NRC systems, including listed systems. The agency has developed a security template that must be used for listed systems that process safeguards and/or classified information. This template includes additional security controls beyond those found in MD 12.5. Despite these requirements, some security controls are not being implemented as required because the agency has no procedures in place for verifying that security controls described in a system's security plan are actually being implemented.

RECOMMENDATIONS

This report makes recommendations to the Executive Director for Operations to improve the security policies, procedures, practices, and controls for listed systems processing safeguards and/or classified information. A consolidated list of recommendations appears on page 11 of this report.

AGENCY COMMENTS

The Office of the Inspector General (OIG) provided this report in draft to agency officials and discussed its content at an exit conference on July 15, 2005. We modified the report as we determined appropriate in response to our discussion. Agency officials generally agreed with the report's findings and recommendations and opted not to include formal comments.


ABBREVIATIONS AND ACRONYMS

FISMA    Federal Information Security Management Act
FY       Fiscal Year
ID       Identifier
ISSO     Information System Security Officer
LAN      Local Area Network
MD       Management Directive
NRC      Nuclear Regulatory Commission
OIG      Office of the Inspector General
OIS      Office of Information Services
PC       Personal Computer


TABLE OF CONTENTS

Executive Summary ........................................................ i

1 Background ............................................................. 1

2 Purpose ................................................................ 1

3 Findings ............................................................... 1
    3.1  Inventory of Listed Systems Is Inaccurate and Information Is Inconsistent ... 2
    3.2  Some Listed Systems Lack Required Security Plans ................ 5
    3.3  Some Security Controls Are Not Implemented As Required .......... 6

4 Consolidated List of Recommendations .................................. 11

5 OIG Response to Agency Comments ....................................... 12

Appendix

    Appendix A: Scope and Methodology ................................... 13


1          Background

On December 17, 2002, the President signed the E-Government Act of 2002, which included FISMA.[5] FISMA outlines the information security management requirements for agencies, which include (1) an independent evaluation of an agency's information security program and practices and (2) an evaluation of the effectiveness of information security control techniques. FISMA also requires an assessment of compliance with requirements and related information security policies, procedures, standards, and guidelines.

   [5] The Federal Information Security Management Act of 2002 was enacted on December 17, 2002, as part of the E-Government Act of 2002 (Public Law 107-347), and replaces the Government Information Security Reform Act, which expired in November 2002.

As part of the FY 2005 FISMA independent evaluation of NRC's information technology security program, Carson Associates reviewed security controls for listed systems that process safeguards and/or classified information.

Listed Systems That Process Safeguards and/or Classified Information

Listed systems represent one of four categories used by NRC to group the agency's systems on its master inventory of systems. A listed system is a computerized information system or application that (1) processes sensitive information requiring additional security protections and (2) may be important to an NRC office's or region's operations, but which is not a major application when viewed from an agency perspective. Most of the systems in this category process safeguards and/or classified information. Many of the listed systems processing safeguards and/or classified information are either standalone PCs or laptops. None of these systems are connected to the NRC local area network when processing safeguards and/or classified information.

Of the 179 listed systems on the agency's master inventory, 140 process safeguards and/or classified information. Carson Associates selected 61 of the 140 listed systems that process safeguards and/or classified information for evaluation, and reviewed any security plans and supporting documentation on file. Carson Associates met with the points of contact for 17 of the 61 selected listed systems to verify that security controls described in the security plan are actually implemented.

2          Purpose

The system evaluation objective was to test the effectiveness of NRC security policies, procedures, practices, and controls for listed systems processing safeguards and/or classified information.

3          Findings

Carson Associates reviewed the security policies, procedures, practices, and controls for listed systems processing safeguards and/or classified information and found that:

   • The inventory of listed systems is inaccurate and information is inconsistent.
   • Some listed systems lack required security plans.
   • Some security controls are not implemented as required.

3.1       Inventory of Listed Systems Is Inaccurate and Information Is Inconsistent

MD 12.5 assigns the NRC Chief Information Officer[6] responsibility for developing and maintaining a master inventory of all agency systems, including listed systems. This inventory is maintained by OIS, and includes the following information:

   • Office – the NRC office that owns or sponsors the system.
   • System – the system's name, which for listed systems is most often the tag number of the PC or laptop.
   • Hardware – the system's hardware (Laptop, PC, Server, local area network (LAN),[7] and Other).
   • Primary information system security officer (ISSO) – the primary ISSO appointed for the system.
   • Phone # – primary ISSO's phone number.
   • Type of information processed – five columns used to indicate the type of information processed by the system (e.g., safeguards, confidential, secret, top secret, sensitive compartmented information). A system can process more than one type of information. If no column contains a check mark, the system does not process safeguards and/or classified information.
   • Security Plan Date – date of the security plan on file with OIS.
   • Security Plan Current Status – status of the security plan (Final-Approved, Sent for Revision, Returned, Overdue, and Draft).
   • System Status – current status of the system (Active, Develop, Retired, and Unknown).
   • New Plan Due – date the system owner must submit an updated plan.

   [6] In January 2005, the Office of the Chief Information Officer was renamed Office of Information Services. The Chief Information Officer is responsible for oversight of the Office of Information Services.
   [7] The LANs found on the inventory of listed systems are standalone networks, and are not connected to the NRC network or any other network.

MD 12.5 requires regional administrators, office directors, and system sponsors/owners to ensure that information systems sponsored by their offices are included in the agency's master inventory of all agency systems. They are required to work with the agency to update and revalidate the master inventory of systems on an annual basis.

Despite the agency requirement for maintaining a master inventory of all agency systems, the master inventory of listed systems is not accurate, and information for listed systems that are composed of multiple components is not consistently reported.

Inventory of Listed Systems Is Inaccurate

The following are some examples of inaccuracies found in the inventory.

   • Errors in the types of information handled by listed systems. The first inventory of listed systems provided to Carson Associates by the agency included check marks in the safeguards column for systems that do not handle safeguards information. Carson Associates identified these inaccuracies while trying to select which listed systems to evaluate. OIS staff were not aware of the inaccuracies until Carson Associates brought them to their attention, and a revised inventory of listed systems was then provided.

     However, there are at least three systems on the revised inventory that are still incorrectly categorized according to the type(s) of data they process. One system had a check mark in the safeguards column, but the system does not process safeguards information. One system had check marks in the safeguards, confidential, and secret columns, but it only processes safeguards information. The third system had no check marks indicating the types of information handled by the system, when in fact it handles confidential, secret, top secret, and sensitive compartmented information. Carson Associates reviewed an inventory report from the FY 2004 FISMA evaluation and found that report also contained similar errors.

   • Errors in security plan dates. Of the 61 listed systems chosen for evaluation, Carson Associates identified 3 with approved security plans on file with a more recent date than the security plan date in the inventory. In addition, Carson Associates identified two listed systems with approved security plans on file, but the inventory indicated either no security plan date/status, or that the security plan was sent back for revisions.

   • Errors in system status. Of the 61 listed systems chosen for evaluation, 3 had a status of "Active," when in fact the systems were retired. Carson Associates learned from the system owner of one of the retired systems that another listed system, not chosen for evaluation, had also been retired. Another system chosen for evaluation had a status of "Active," but the security plan on file had a note on the cover stating the system was retired and the owner was being contacted for disposal.[8]

   • Errors in system tag numbers. Of the 61 listed systems chosen for evaluation, 3 had incorrect tag numbers. These systems had been "refreshed" in the past year, and therefore had new tag numbers.[9] The inventory still used the previous tag number as the system name, making it difficult to determine if the system being evaluated was the correct system.

   [8] MD 12.5 states that removable storage media that contain classified or sensitive information should be sent to the Division of Facilities and Security for retention or destruction.
   [9] When the systems were refreshed, the removable hard drives containing safeguards and/or classified information were retained by the system owner for re-use in the new systems.

The agency lacks procedures for maintaining and updating the inventory of listed systems. For example, there are no procedures for updating the system name (i.e., tag number) or system status. One system owner stated that when one of their systems was retired, OIS asked for a memorandum requesting the change in status. According to the system owner, the memorandum should address the disposition of the system, including the information residing on the system, and a statement that the system is no longer being used at NRC. Carson Associates could not find the requirement for this type of memorandum in any current NRC policy, so it is not clear how, or if, this requirement is conveyed to the system sponsors/owners.

Information for Listed Systems Composed of Multiple Components Is Not Consistently Reported

Some of the listed systems on the inventory are composed of multiple components. In some cases, each component is listed as a separate system on the inventory. In other cases, the individual components are not listed as separate systems, but are represented as one system on the inventory. The following are examples of inconsistencies in how listed systems composed of multiple components are reported on the inventory.

   • The inventory of listed systems includes 10 systems owned by the Office of the Chief Financial Officer. Of the 10, 9 systems are actually a group of applications that, along with the License Fee Reports System, compose the Fee Systems, which is a major application, not a listed system. The inventory of listed systems indicates these systems lack security plans, when in fact they are covered by the Fee Systems security plan and do not require separate security plans.

   • Of the 61 listed systems selected for evaluation, 7 were listed with a hardware type of "Other." Two of the seven were actually printers associated with other listed systems on the inventory. None of the other listed systems selected for evaluation that have printers associated with them have their printers listed on the inventory.

   • There are three listed systems on the inventory with a hardware type of "LAN." These are systems that are composed of several workstations, servers, and printers, yet they are represented on the inventory as a single system. However, Carson Associates identified five systems on the inventory that actually compose another standalone network. In this case, the components of the standalone network are listed individually on the inventory, instead of as a single system.

RECOMMENDATIONS

The Office of the Inspector General recommends that the Executive Director for Operations:

   1. Correct the inaccuracies in the inventory of listed systems.
   2. Validate the inventory of listed systems annually.
   3. Develop procedures for notifying OIS of changes in system information for listed systems on the inventory.
   4. Develop procedures for recording inventory information for listed systems that are composed of multiple components.

3.2       Some Listed Systems Lack Required Security Plans

MD 12.5 requires all listed systems to have an up-to-date, approved security plan before the system is put into operation. Office directors, regional administrators, and system sponsors/owners are responsible for developing the security plans. The Chief Information Officer is responsible for reviewing and approving security plans. Security plans prepared for listed systems that process safeguards and/or classified information are required to use the abbreviated security plan format that is provided by OIS.

The completed security plan is to be submitted to OIS with a memorandum that (1) documents how the security requirements to protect the sensitive information are being satisfied, (2) discusses the implemented security controls, and (3) describes any residual risks that may exist. The security plan is reviewed by OIS staff, and approval of the abbreviated security plan results in system security accreditation (which is the management approval to operate). Approval is indicated either by a memorandum from the Senior Information Technology Security Officer stating that the plan has been approved, or by a signature page attached to the plan with signatures from the system owner and the designated approving authority indicating the plan has been approved. If the system is maintained off-site, a signed agreement that governs this off-site arrangement must be attached to the security plan.

   • Missing security plans. Of the 61 listed systems chosen for evaluation, 14 lack required security plans. Of the 14, 12 are "Active" systems. Of the 12 "Active" systems, 3 have no security plan on file; 2 have security plans that have been submitted to OIS but sent back to the system owner/sponsor for revisions; 2 have a security plan status of "Draft"; and 5 have overdue security plans.

   • Approved security plans without supporting documentation. Of the 61 listed systems chosen for evaluation, 2 had a status of "Final-Approved," but the agency did not have supporting documentation on file indicating the security plan was actually approved. Carson Associates also identified two more listed systems that have approved security plans, but the security plans are marked "Confidential" and are on file with the system owner instead of with OIS. However, the final memoranda approving the systems were not marked "Confidential," and were not on file with OIS. The system owner stated that they submitted the required documentation to OIS for one of the systems; however, there is nothing on file indicating where that documentation can be located. Of the 61 listed systems chosen for evaluation, 2 are stored off-site (one in Baltimore, Maryland, and one in Chicago, Illinois); however, the required off-site storage agreement was not attached to their security plans.

   • Overdue security plans. Of the 79 listed systems that process safeguards and/or classified information that Carson Associates did not select for evaluation, the inventory indicates that 66 of them are "Active." Yet 2 have no security plans and 22 have security plans that have been sent back to the system owner/sponsor for revisions. Of those 22, two were sent back over 6 months ago, 16 were sent back over a year ago, and 4 were sent back over 2 years ago. Of the 79 systems, 6 have a system status of "Develop" and also do not have approved security plans. The inventory indicates that the security plans for the development systems were also sent back for revisions over a year ago.

Some listed systems lack required security plans because the agency has not implemented procedures to ensure all listed systems have approved, up-to-date security plans in place prior to a system becoming operational. System owners/sponsors are operating listed systems without an approved security plan because the agency has no procedures for ensuring system owners/sponsors respond to OIS requests for security plans and security plan updates in a timely manner. The agency cannot be certain that system sponsors/owners of listed systems processing safeguards and/or classified information have adequate controls in place to protect the information because not all of the systems have the required security plans.

RECOMMENDATIONS

The Office of the Inspector General recommends that the Executive Director for Operations:

   5. Develop procedures for ensuring all listed systems have an up-to-date, approved security plan prior to being put into operation.
   6. Develop procedures for ensuring system owners/sponsors respond to OIS requests for security plan updates in a timely manner.

3.3       Some Security Controls Are Not Implemented As Required

MD 12.5 describes the security controls required for all NRC systems, including listed systems. Some of these security controls, as they apply specifically to systems that process safeguards and/or classified information, are derived from other NRC Management Directives and Federal regulations, including:

   • NRC MD 12.1, NRC Facility Security Program
   • NRC MD 12.2, NRC Classified Information Security Program
   • NRC MD 12.3, NRC Personnel Security Program
   • NRC MD 12.6, NRC Sensitive Unclassified Information Security Program
   • Department of Defense 5220.22-M, National Industrial Security Program Operating Manual (February 2001)
   • National Telecommunications and Information Systems Security Advisory Memorandum on Office Automation Security Guideline (January 1987)

The agency has also developed a security plan template that must be used for listed systems that process safeguards and/or classified information. This template includes additional security controls beyond those found in MD 12.5. Listed systems that process safeguards and/or classified information are required to have the following controls in place.

   • Warning banner. MD 12.5 requires NRC systems to be configured to display a warning banner to users upon first accessing NRC automated information resources. The security plan template does not specify the use of a warning banner.

   • Unique user identifiers (IDs).
MD 12.5 requires user IDs to be issued on a one-to-one\n       basis, and group user IDs are not permitted without special authorization. The security\n       plan template requires all personnel authorized to process data on the system to be\n       assigned a unique account, user name, and password to access the system.\n   \xe2\x80\xa2   Password change. MD 12.5 requires systems to automatically force all users to change\n       passwords at specified time intervals. The security plan template does not require users\n       to change passwords at specified time intervals.\n   \xe2\x80\xa2   Screen saver. MD 12.5 requires a password protected screen saver, set to activate after\n       15 minutes of inactivity. The security plan template includes a stronger requirement for\n       screen savers. The screen saver must activate after 5 minutes of inactivity.\n   \xe2\x80\xa2   Audit trails. MD 12.5 describes auditing controls as security controls that support\n       accountability by providing a chronology of user actions. They should be applied\n       commensurate with the risks and magnitude of harm that may result from the loss,\n       misuse, or unauthorized access to or modification of the system or the information it\n       processes. The security plan template requires that (1) each user\xe2\x80\x99s actions on the system\n       are to be audited and (2) the audit logs are to be reviewed at least monthly.\n   \xe2\x80\xa2   Sensitivity marking. MD 12.5 requires all media containing sensitive information to be\n       clearly labeled to indicate the sensitivity level of the most sensitive information contained\n       on the media. The sensitivity level of the data should be clearly visible in human\n       readable form on its exterior, electronically within the file containing the sensitive\n       information, and on workstation, console, and PC monitor screens whenever sensitive\n       information is displayed. 
The security plan template includes a stronger requirement for\n       sensitivity marking. The system must have a display background indicating the type of\n       data being processed.\n   \xe2\x80\xa2   Configuration management. The security plan template requires information\n       technology security patches to be applied to the operating system and installed software.\n       The frequency is not defined in the template.\n   \xe2\x80\xa2   Virus updates. The security plan template requires virus signatures to be updated\n       weekly.\n\nCarson Associates met with the points of contact for 17 of the 61 selected listed systems to verify\nthat security controls described in the respective security plans are actually implemented, and\nfound that some security controls are not being implemented as required.\n\n   \xe2\x80\xa2   Warning banner. Of the 17 systems evaluated, 7 do not display any type of warning\n       banner prior to users accessing the system. Of these seven, three are systems running\n       operating systems that do not support individual user IDs. Therefore, displaying a\n       warning banner prior to user access is not possible.\n   \xe2\x80\xa2   Unique user IDs. Of the 17 systems evaluated, 3 do not have separate accounts for each\n       user authorized to use the system. These systems are running an operating system that\n       does not support individual user IDs.\n\n\n\n\n                                                 7\n\x0c                                                                                      System Evaluation of Listed Systems\n\n\n\n\n       \xe2\x80\xa2    Password change. At least 2 of the 17 systems evaluated do not force users to change\n            their passwords at specified time intervals. Both of these systems are running operating\n            systems that support the enforcement of periodic password changes.\n       \xe2\x80\xa2    Screen saver. 
Of the 17 systems evaluated, 4 do not have any type of screen saver. One\n            of these systems is running an operating system that does not support a screen saver, and\n            the configuration of that system is controlled by another Federal agency that provides\n            NRC with the software to run the system. Three additional systems have screen savers,\n            but all three activate after more than 5 minutes of inactivity, as required in the security\n            plan template. In addition, one of them is not password protected.\n       \xe2\x80\xa2    Audit trails. Of the 17 systems evaluated, 3 do not audit user actions. Two additional\n            systems audit user actions, but the audit trails are not reviewed as required.\n       \xe2\x80\xa2    Sensitivity marking. Of the 17 systems evaluated, 5 do not have a background display\n            indicating the type of information being processed as required by the security plan\n            template. However three of them have external labels on the PC or laptop indicating the\n            type of information being processed, as required by MD 12.5.\n       \xe2\x80\xa2    Configuration management. Of the 17 systems evaluated, 5 have not had any security\n            patches applied to their operating systems, despite the release of security patches for the\n            operating systems after the systems were put into operation.\n       \xe2\x80\xa2    Virus updates. Of the 17 systems evaluated, 3 have not updated their virus signatures as\n            required. Virus signatures were updated on one of the three systems once after the\n            system was put into operation, but they have not been updated since.\n\nSecurity controls are not being implemented as required because the agency has no procedures in\nplace for verifying that security controls described in a system\xe2\x80\x99s security plan are actually being\nimplemented. 
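As an added example (not code from the report or from Carson Associates), the following Python check models the controls listed above for listed systems that process safeguards and/or classified information: it compares a system's recorded configuration against the MD 12.5 and security plan template requirements described in this section, reports the kinds of findings the evaluation lists, and suppresses a finding only when the control has a documented CIO exception. The ListedSystem record layout, the field names, and all sample records are assumptions constructed for this example.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import date, timedelta

# Assumed record layout (constructed for this example): one record per listed system,
# holding the facts an evaluator collects from the system's point of contact.
@dataclass
class ListedSystem:
    name: str
    os_supports_user_ids: bool
    warning_banner: bool
    unique_user_ids: bool
    password_change_days: int | None   # None: periodic change not enforced
    screen_saver_minutes: int | None   # None: no screen saver at all
    screen_saver_password: bool
    audits_user_actions: bool
    last_audit_review: date | None
    display_background_marking: bool   # template: background shows the data type
    last_security_patch: date | None   # None: none applied since put into operation
    last_virus_update: date | None
    cio_exceptions: set[str] = field(default_factory=set)  # controls with approved deviations

def check_system(s: ListedSystem, today: date) -> list[str]:
    """Return one finding per control not implemented as MD 12.5 or the template requires."""
    findings: list[str] = []
    def flag(control: str, msg: str) -> None:
        if control not in s.cio_exceptions:  # a documented CIO exception is not a finding
            findings.append(f"{control}: {msg}")
    if not s.warning_banner:
        why = "" if s.os_supports_user_ids else " (OS does not support individual user IDs)"
        flag("warning banner", "no banner shown before access, required by MD 12.5" + why)
    if not s.unique_user_ids:
        flag("unique user IDs", "shared accounts in use; template requires one account per user")
    if s.password_change_days is None:
        flag("password change", "periodic password change not enforced, required by MD 12.5")
    if s.screen_saver_minutes is None:
        flag("screen saver", "no screen saver; template requires activation after 5 minutes")
    else:
        if s.screen_saver_minutes > 5:
            flag("screen saver", f"activates after {s.screen_saver_minutes} minutes; template requires 5")
        if not s.screen_saver_password:
            flag("screen saver", "not password protected, required by MD 12.5")
    if not s.audits_user_actions:
        flag("audit trails", "user actions are not audited; template requires auditing")
    elif s.last_audit_review is None or today - s.last_audit_review > timedelta(days=31):
        flag("audit trails", "audit logs not reviewed at least monthly")
    if not s.display_background_marking:
        flag("sensitivity marking", "no display background indicating the data type processed")
    if s.last_security_patch is None:
        flag("configuration management", "no security patches applied since put into operation")
    if s.last_virus_update is None or today - s.last_virus_update > timedelta(days=7):
        flag("virus updates", "signatures older than one week; template requires weekly updates")
    return findings

# Constructed sample records, not systems from the report.
TODAY = date(2005, 6, 15)
COMPLIANT = ListedSystem("SYS-A", True, True, True, 90, 5, True, True, date(2005, 6, 1),
                         True, date(2005, 6, 1), date(2005, 6, 10))
LEGACY = ListedSystem("SYS-B", False, False, False, None, 10, False, True, date(2004, 12, 1),
                      False, None, date(2005, 1, 5))
```

check_system(COMPLIANT, TODAY) returns an empty list, while check_system(LEGACY, TODAY) returns nine findings, including the two separate screen saver findings and the note that the operating system cannot display a banner because it does not support individual user IDs.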
In addition, some of the operating systems currently in use on the listed systems that were evaluated do not support some of the required security controls.

The Chief Information Officer may grant exceptions to or deviations from MD 12.5 [10]; however, none of the security plans indicated that the systems were granted exceptions for not implementing some of the required security controls. Therefore, Carson Associates could not determine whether the deviations from the required security controls were made with approval from the Chief Information Officer, or whether the security controls were just not being implemented.

Although the risk associated with the lack of security controls for listed systems that process safeguards and/or classified information is reduced since they are rarely, if ever, connected to a network, NRC is not in compliance with its requirements for implementing security controls on listed systems that process safeguards and/or classified information.

[10] Exceptions to or deviations from MD 12.5 may be granted except for those areas in which the responsibility or authority is vested solely with the Commission, the Executive Director for Operations, or the Office of Administration and is not delegable, or for matters specifically required by law, Executive order, or directive to be referred to other management officials.

RECOMMENDATIONS

  The Office of the Inspector General recommends that the Executive Director for Operations:

  7. Develop procedures for verifying all required security controls are implemented on listed systems.
  8. Require listed systems that process safeguards and/or classified information to use operating systems that support the implementation of required security controls.
  9. Require security plans to include documentation approving any exceptions to the required security controls.
  10. Modify the security plan template for listed systems that process safeguards and/or classified information to require warning banners and password changes at specified time intervals.

4      Consolidated List of Recommendations

The Office of the Inspector General recommends that the Executive Director for Operations:

    1. Correct the inaccuracies in the inventory of listed systems.
    2. Validate the inventory of listed systems annually.
    3. Develop procedures for notifying OIS of changes in system information for listed systems on the inventory.
    4. Develop procedures for recording inventory information for listed systems that are composed of multiple components.
    5. Develop procedures for ensuring all listed systems have an up-to-date, approved security plan prior to being put into operation.
    6. Develop procedures for ensuring system owners/sponsors respond to OIS requests for security plan updates in a timely manner.
    7. Develop procedures for verifying all required security controls are implemented on listed systems.
    8. Require listed systems that process safeguards and/or classified information to use operating systems that support the implementation of required security controls.
    9. Require security plans to include documentation approving any exceptions to the required security controls.
    10. Modify the security plan template for listed systems that process safeguards and/or classified information to require warning banners and password changes at specified time intervals.

5      OIG Response to Agency Comments

OIG provided this report in draft to agency officials and discussed its content at an exit conference on July 15, 2005. We modified the report as we determined appropriate in response to our discussion. Agency officials generally agreed with the report’s findings and recommendations and opted not to include formal comments.

Appendix A

SCOPE AND METHODOLOGY

To perform the system evaluation of listed systems that process safeguards and/or classified information, Carson Associates reviewed the agency’s inventory of listed systems, and selected a subset of listed systems for evaluation. Only listed systems processing safeguards and/or classified information were selected. Carson Associates selected at least one system for each NRC office that processes safeguards and/or classified information, and reviewed the security plans and other documentation on file. Carson Associates met with the points of contact for some of the systems to verify that security controls described in the security plan are actually implemented. The inventory of listed systems was also evaluated for overall accuracy and compliance with NRC policies and procedures.

Of the 179 listed systems on the agency’s master inventory, 140 process safeguards and/or classified information. Carson Associates selected 61 of the 140 listed systems that process safeguards and/or classified information for evaluation, and reviewed any security plans and supporting documentation on file. Carson Associates met with the points of contact for 17 of the 61 selected listed systems.

The work was conducted from April 2005 to June 2005 in accordance with guidelines from the National Institute of Standards and Technology, and best practices for evaluating security controls. Jane Laroussi from Carson Associates conducted the work.